Thursday, June 29, 2017

opmsg saving you from OpenSSH 0days

As I am interested in Crypto and its implementation, be it my own projects or competing ones, I often take a deep look into the OpenSSL and LibreSSL projects to estimate what can potentially go wrong and where special care must be taken while swimming with sharks.

I have already written and complained here in the past about the shiny OpenSSL 1.1 API changes. I think it's safe to say that opmsg and drops have been the first larger projects being neatly ported to the 1.1 API, while still being aligned to older OpenSSL installations and LibreSSL, cross platform of course. How many projects do you know that heavily use libcrypto or libssl and can do that?

OpenSSH for example can't. OpenSSH-portable on Linux suffered similar hard times due to the new 1.1 API. No pain, no gain. While OpenSSH upstream declined to make OpenSSH-portable ready for the 1.1 API (at least not yet), there was still demand for it, since lots of newer distros were simply not able to build their openssh packages with their own shipped libcrypto packages. That's why the Fedora project adopted patches (this one is already fixed after my report). However, they introduced some double-free conditions by means of RSA_set0_key() and similar functions. You can read my report and see in the patch how the order of function calls has been changed to fix the double-frees. You can thank me later that I saved your Fedora boxes from an ssh 0day.
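The ownership rule behind this class of bug, as an added example that is not from the original post or the Fedora patch: RSA_set0_key() hands the BIGNUMs over to the RSA object on success, so an error path that still frees the caller's pointers frees them twice. The `toy_*` types and functions are hypothetical stand-ins for the libcrypto ones, and "freeing" only increments a counter so the double free can be counted instead of triggered.

```c
#include <stdio.h>

/* Hypothetical stand-ins for BIGNUM and RSA (not OpenSSL types). */
typedef struct { int frees; } toy_bn;
typedef struct { toy_bn *n, *e; } toy_rsa;

/* "Free" only counts, so a double free is observable rather than undefined. */
static void toy_bn_free(toy_bn *b) { if (b) b->frees++; }
static void toy_rsa_free(toy_rsa *r) {
    toy_bn_free(r->n); toy_bn_free(r->e);
    r->n = r->e = NULL;
}

/* Same contract as RSA_set0_key(): on success the key object owns n and e. */
static int toy_set0_key(toy_rsa *r, toy_bn *n, toy_bn *e) {
    if (!n || !e) return 0;
    r->n = n; r->e = e;
    return 1;
}

/* Buggy order: ownership is handed over, a later step fails, and the shared
 * cleanup frees the locals that the key object frees as well. */
static int load_buggy(toy_rsa *r, toy_bn *n, toy_bn *e, int later_step_ok) {
    int ok = toy_set0_key(r, n, e) && later_step_ok;
    if (!ok) { toy_bn_free(n); toy_bn_free(e); toy_rsa_free(r); }
    return ok;
}

/* Fixed order: drop the local references right after a successful set0,
 * so the cleanup path can only free what the caller still owns. */
static int load_fixed(toy_rsa *r, toy_bn *n, toy_bn *e, int later_step_ok) {
    int ok = toy_set0_key(r, n, e);
    if (ok) { n = e = NULL; ok = later_step_ok; }
    if (!ok) { toy_bn_free(n); toy_bn_free(e); toy_rsa_free(r); }
    return ok;
}

/* Highest free count seen on n or e after one load attempt. */
int max_frees(int use_fixed, int later_step_ok) {
    toy_bn n = {0}, e = {0};
    toy_rsa r = {0};
    if (use_fixed) load_fixed(&r, &n, &e, later_step_ok);
    else load_buggy(&r, &n, &e, later_step_ok);
    return n.frees > e.frees ? n.frees : e.frees;
}

int main(void) {
    printf("buggy: %d frees, fixed: %d frees\n", max_frees(0, 0), max_frees(1, 0));
    return 0;
}
```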